Recently, the security research team MalwareHunterTeam said it discovered a new Trojan horse program SectopRAT. This Trojan can be used to control browser sessions on infected computers, change browser configuration, and disable security measures.
A signed (Sectigo) C# malware, got told possible called "1xxbot" sample: b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a
Used to create hidden desktop and run selected browser there with full control.
Related to AsataFar…
cc @James_inthe_box @VK_Intel @Antelox pic.twitter.com/bFPqTmrSp6
— MalwareHunterTeam (@malwrhunterteam) November 15, 2019
It is understood that the malicious program is mainly compiled by C#, including a RemoteClient.Config class, which has four values that can be configured: IP, retip, filename, and mutexName. The researchers on these four variables found that: 1. The IP variable is related to the Trojan horse’s command and control server; Second, the retip variable is designed to set up a new C2 intrusion prevention system; 3. The server can be overwritten with the “set IP” command. These defense systems; Fourth, Filename, and mutexName are set but are not in active use.
In addition, the researchers also found that the software seems to have some shortcomings: First, the use of hard-coded paths without environment variables to access the system files; Second, a command to obtain compiled decoder information has not been completed.
The researchers said that despite some obvious flaws in the program, the techniques involved in the program indicate that the attacker has a level of expertise, so experts suspect that the Trojan may be just a test product.